The Financial Services Information Sharing and Analysis Center (FS-ISAC), a cybersecurity consortium for the financial sector, recently launched a program designed to help its bank members receive information about security threats and vulnerabilities that affect their technology vendors.
As part of its
The consortium, which says it has more than 16,000 users, said the program would enable tech providers to confidentially communicate with thousands of financial institutions at once about sensitive information related to their security environments. An expert in the field said the program is promising, but would need to be combined with requirements for vendors to fix those vulnerabilities to be game-changing.
“Anything you do to help improve security is absolutely good,” said Tari Schreider, an advisor on cybersecurity with Aite-Novarica Group. “However, I don’t think this is going to be much more than security theater.”
According to Teresa Walsh, the FS-ISAC’s head of intelligence, the program will establish more trust between tech vendors and financial institutions, and that will attract participants to it.
“Having a direct line between critical providers and our member financial firms builds trust not only between vendors and individual customers, but also shows that the providers understand our sector as a whole and our resilience needs,” Walsh said.
The program will let vendors’ technical experts communicate with bank security staff during large-scale security upgrades, technical outages, cyber vulnerabilities or incidents, software or hardware misconfiguration incidents, and changes that may affect multiple member institutions. It will all happen in FS-ISAC’s instant messaging platform, Connect.
So far, only the content-delivery-service provider Akamai is participating. Boaz Gelbord, chief security officer at Akamai, said the company “is trusted by more than 325 of the world's financial services firms,” including eight of the 10 largest banks.
As more providers join the program, the consortium will provide each with its own channel in the chat platform, connecting it to an audience of thousands of financial institutions. Among those will be smaller institutions that Gelbord said could derive special benefit because they typically don’t have as much clout with vendors.
“This program extends the collective visibility, experience and expertise we have as the critical providers to financial services organizations of any size or security posture, bolstering protection for those that don’t have the advanced capabilities,” said Gelbord.
Schreider said the program constituted a “great start” — the consortium itself described the program as a “pilot” at launch time — but added that it would need additional work to become practical.
“There are disclosure protocols that need to be changed in order for this to be effective,” Schreider said. He pointed to disclosing and fixing “zero-day” vulnerabilities as an important case. A zero-day vulnerability is a flaw that attackers can exploit before the vendor has a fix available, either because the vendor does not yet know about it or because it knows but has not shipped a patch. In some cases, the vendor discovers the flaw and patches it before anyone exploits it. In other cases, attackers find the flaw first, or move faster than the vendor once the flaw becomes public.
In November, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve
According to Schreider, if the Critical Providers Program came with agreements between providers and financial institutions that providers have 45 or 60 days to fix a vulnerability before the institutions publicly disclose it, “that would really be something.”
Such a program, Schreider said, would ensure a confidential avenue for providers and banks to discuss vulnerabilities, give providers time to implement a fix and allow banks to bolster their own systems in the meantime.
But Schreider said he was skeptical that the program in its current form would amount to much.
“In theory, it’s a great start, but the devil’s in the details, so how do you really make this pragmatic?” Schreider said.